Earlier this month, Securities and Exchange Commission announced a settlement with Morgan Stanley over the firm’s data security practices, resulting in a $1 million fine and a cease-and-desist order. The SEC charged Morgan Stanley with violating the Commission’s “Safeguards Rule” by its “failure to adopt written policies and procedures reasonably designed to protect consumer records and information.” These failures allowed an employee to access and transfer the personal data of 730,000 accounts to his personal server, which was ultimately hacked by third parties. Yet, at the same time the SEC was criticizing Morgan Stanley’s data security practices, the Commission’s own security performance received a negative review from the SEC Inspector General.